Twitter said that after investigating reports that data on upwards of 400 million users was being sold online, it found “no evidence” that the data was obtained by exploiting vulnerabilities in its systems.
The Elon Musk-owned social network provided details on the investigation in a blog post Wednesday. In December 2022, a hacker claimed to be offering over 400 million Twitter-associated user emails and phone numbers for sale on the black market, according to press reports. Earlier this month, “a similar attempt to sell data from 200 million Twitter-associated accounts was reported in the media,” which, according to Twitter, was the same dataset that was reported in December with duplicates removed.
Based on its investigation, “there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said. “The data is likely a collection of data already publicly available online through different sources.”
Twitter noted that in August 2022, the company disclosed that it had received a report in January of last year through its bug-bounty program of a vulnerability in Twitter’s systems that let someone use email addresses or phone numbers to reveal Twitter accounts associated with the info. The company said it updated its code in June 2021 to fix the bug.
In July 2022, Twitter “learned through a press report that someone had potentially leveraged [the vulnerability] and was offering to sell the information they had compiled,” the company said. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.” Twitter said it notified affected users “promptly” of the issue. Media reports in November said 5.4 million Twitter user accounts were being sold online; according to Twitter’s investigation, those were the same accounts that were exposed in August 2022.
Twitter said it is “in contact with data protection authorities and other relevant regulators” in different countries “to provide clarification about the alleged incidents.”
The company also said that, while no passwords were exposed in the incidents, it encourages all Twitter users to enable two-factor authentication using authentication apps or hardware security keys to protect against unauthorized logins.
“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns,” the company said in the blog post. “Be wary of emails conveying a sense of urgency and emails requesting your private information; always double-check that emails are coming from a legitimate Twitter source.”
Since Musk acquired Twitter in a $44 billion deal in October, he has laid off half of the company’s employees, claiming it was losing upwards of $4 million per day, and has driven hundreds more out the door after demanding they pledge to “extremely hardcore” working conditions. Twitter’s headcount has dropped by nearly 75% since Musk took over.
In December, Musk said he will step aside as CEO once he finds someone “foolish enough to take the job” but that he will continue to run the software and servers teams. That came after a straw poll Musk fielded about whether he should step down as CEO ended with the majority of votes cast in favor of him relinquishing the role.